Researchers have disclosed vulnerabilities in multiple WordPress plugins that, if successfully exploited, could allow an attacker to run arbitrary code and take over a website in certain scenarios.
The flaws were uncovered in Elementor, a website builder plugin used on more than seven million sites, and WP Super Cache, a tool used to serve cached pages of a WordPress site.
According to Wordfence, which discovered the security weaknesses in Elementor, the bug concerns a set of stored cross-site scripting (XSS) vulnerabilities (CVSS score: 6.4), which occurs when a malicious script is injected directly into a vulnerable web application.
In this case, due to a lack of validation of the HTML tags on the server-side, a bad actor can exploit the issues to add executable JavaScript to a post or page via a crafted request.
“Since posts created by contributors are typically reviewed by editors or administrators before publishing, any JavaScript added to one of these posts would be executed in the reviewer’s browser,” Wordfence said in a technical write-up. “If an administrator reviewed a post containing malicious JavaScript, their authenticated session with high-level privileges could be used to create a new malicious administrator, or to add a backdoor to the site. An attack on this vulnerability could lead to site takeover.”
Multiple HTML elements such as Heading, Column, Accordion, Icon Box, and Image Box were found vulnerable to the stored XSS attack, thereby making it possible for any user to access the Elementor editor and add an executable JavaScript.
Given that the flaws take advantage of the fact that dynamic data entered in a template could be leveraged to include malicious scripts intended to launch XSS attacks, such behavior can be thwarted by validating the input and escaping the output data so that the HTML tags passed as inputs are rendered harmless.
Separately, an authenticated remote code execution (RCE) vulnerability was discovered in WP Super Cache that could allow an adversary to upload and execute malicious code with the goal of gaining control of the site. The plugin is reported to be used on more than two million WordPress sites.
Following responsible disclosure on February 23, Elementor fixed the issues in version 3.1.4 released on March 8 by hardening “allowed options in the editor to enforce better security policies.” Likewise, Automattic, the developer behind WP Super Cache, said it addressed the “authenticated RCE in the settings page” in version 1.7.2.
It’s highly recommended that users of the plugins update to the latest versions to mitigate the risk associated with the flaws.